Identity-Based Encryption with (Almost) Tight Security in the Multi-instance, Multi-ciphertext Setting

Abstract: We construct an identity-based encryption (IBE) scheme that is tightly secure in a very strong sense. Specifically, we consider a setting with many instances of the scheme and many encryptions per instance. In this setting, we reduce the security of our scheme to a variant of a simple assumption used for a similar purpose by Chen and Wee (Crypto 2013). The security loss of our reduction is O(k) (where k is the security parameter). Our scheme is the first IBE scheme to achieve this strong flavor of tightness un… Show more

“…In this section, we show how to remove the -type assumption of the MS-secure Gentry-Waters scheme in Section 4 by using Hofheinz-Koch-Striecks techniques [19], where the original Gentry-Waters scheme is lifted to composite order groups.…”

“…Let UH be a family of universal hash functions H : → {0, 1} with the property that for any nontrivial subgroup ⊆ and for H ← UH, ← and ← {0, 1} , we have SD((H, H( )), (H, )) = O(2 − ). In addition, the resulting scheme relies on the following assumptions [19].…”

“…Here, tight security means that the security loss is a constant. Hofheinz, Koch, and Striecks [19] extended Chen and Wee's proof technique [20] to the multiuser/multichallenge setting and provided an almost tightly secure identity-based encryption (IBE) in the same setting, where the security loss only relies on the security parameter instead of the number of queries or instances of the scheme. Hence, an extension of broadcast encryptions in the multiuser/multichallenge setting is natural.…”

“…The reduction loss on the underlying symmetric key encryption is , while the reduction on BDHE is tight due to the random self-reducibility of BDHE assumption, which is not implied by the general result of [17]. To remove the BDHE assumption, our second method applies the Hofheinz-Koch-Striecks techniques [19] to Gentry-Waters' semistatic secure broadcast encryption. The resulting scheme is essentially the Hofheinz-Koch-Striecks IBE scheme instantiated in a composite order group, while the user's decryption key of broadcast encryption is expressed in a different way from that of [19].…”

“…To remove the BDHE assumption, our second method applies the Hofheinz-Koch-Striecks techniques [19] to Gentry-Waters' semistatic secure broadcast encryption. The resulting scheme is essentially the Hofheinz-Koch-Striecks IBE scheme instantiated in a composite order group, while the user's decryption key of broadcast encryption is expressed in a different way from that of [19]. Both methods can turn Gentry-Waters' semistatically secure broadcast encryption into a MA-secure one with constant-size ciphertext header.…”

Adaptive Security of Broadcast Encryption, Revisited

“…In this section, we show how to remove the -type assumption of the MS-secure Gentry-Waters scheme in Section 4 by using Hofheinz-Koch-Striecks techniques [19], where the original Gentry-Waters scheme is lifted to composite order groups.…”

“…Let UH be a family of universal hash functions H : → {0, 1} with the property that for any nontrivial subgroup ⊆ and for H ← UH, ← and ← {0, 1} , we have SD((H, H( )), (H, )) = O(2 − ). In addition, the resulting scheme relies on the following assumptions [19].…”

“…Here, tight security means that the security loss is a constant. Hofheinz, Koch, and Striecks [19] extended Chen and Wee's proof technique [20] to the multiuser/multichallenge setting and provided an almost tightly secure identity-based encryption (IBE) in the same setting, where the security loss only relies on the security parameter instead of the number of queries or instances of the scheme. Hence, an extension of broadcast encryptions in the multiuser/multichallenge setting is natural.…”

“…The reduction loss on the underlying symmetric key encryption is , while the reduction on BDHE is tight due to the random self-reducibility of BDHE assumption, which is not implied by the general result of [17]. To remove the BDHE assumption, our second method applies the Hofheinz-Koch-Striecks techniques [19] to Gentry-Waters' semistatic secure broadcast encryption. The resulting scheme is essentially the Hofheinz-Koch-Striecks IBE scheme instantiated in a composite order group, while the user's decryption key of broadcast encryption is expressed in a different way from that of [19].…”

“…To remove the BDHE assumption, our second method applies the Hofheinz-Koch-Striecks techniques [19] to Gentry-Waters' semistatic secure broadcast encryption. The resulting scheme is essentially the Hofheinz-Koch-Striecks IBE scheme instantiated in a composite order group, while the user's decryption key of broadcast encryption is expressed in a different way from that of [19]. Both methods can turn Gentry-Waters' semistatically secure broadcast encryption into a MA-secure one with constant-size ciphertext header.…”

Adaptive Security of Broadcast Encryption, Revisited

Public‐Key Encryption and Security Notions

Identity-Based Encryption Tightly Secure Under Chosen-Ciphertext Attacks